WIXLIB

LICENSED FORDISTRIBUTIONMagic Quadrant for Secure Web Gateways06 June 2016 ID:G00279134Analyst(s): Lawrence Orans, Peter FirstbrookSummaryThe market for secure web gateway solutions is still dominated by traditional on-premises appliances. However, cloud-basedservices continue to grow at a faster rate than appliances, leaving many vendors struggling to adapt.Market Definition/DescriptionSecure web gateways (SWGs) utilize URL filtering, advanced threat defense, legacy malware protection and application controltechnologies to defend users from internet-borne threats, and to help enterprises enforce internet policy compliance. SWGs areimplemented as on-premises appliances (hardware and virtual) or cloud-based services, or in hybrid mode (combined on-premisesappliances and cloud-based services). Vendors continue to differ greatly in the maturity and features of their cloud-basedservices, and in their ability to protect enterprises from advanced threats.As noted in the Market Overview section, cloud-based SWG services are growing more quickly than appliance-based solutions(SWG appliances still represent over 70% market share, as measured by revenue). There are two use cases for implementing acloud-based SWG service. In the more common scenario, enterprises link multiple branch offices directly to the internet, to avoidbackhauling web traffic over their MPLS backbones. The other use case is to protect mobile users, so that their web traffic flowsthrough the SWG cloud service when they are off-network. Based on client inquiries, Gartner estimates that over 80% of cloudbased SWG implementations are driven primarily by the remote office use case. The distinction is important, because somevendors have built cloud services that are optimized for the remote office use case, whereas others have built cloud services thatare optimized for protecting mobile users. This year, we awarded more Completeness of Vision points to vendors that emphasizethe remote office use case and have the proven technology to support it (for example, tunneling traffic from a router to the cloudservice). Vendors that emphasize the mobile user scenario, where every endpoint must be configured to send traffic to theinternet, received fewer Vision points.Advanced threat defense is becoming increasingly important in the SWG market. Vendors must deliver on the promise that theyare truly security products (or services) and not just web filtering solutions. Otherwise, they run the risk of being replaced, becausecustomers have multiple options for web filtering and advanced threat protection. Web filtering is a commodity, and it is widelyavailable as a feature of firewalls, intrusion prevention systems (IPSs) and unified threat management (UTM) systems. Advancedthreat defense is also widely available as a feature of firewalls and from multiple vendors offering dedicated solutions. Nearly allthe vendors in this Magic Quadrant offer advanced threat defense capabilities, but the quality and efficacy of the solutions varywidely.Magic QuadrantFigure 1. Magic Quadrant for Secure Web Gatewaysconverted by Web2PDFConvert.com

Source: Gartner (June 2016)Vendor Strengths and CautionsBarracuda NetworksBased in Campbell, California, Barracuda Networks provides a broad array of cost-effective network and application securityproducts, as well as storage and productivity solutions. In 2016, Barracuda rebranded its SWG appliances — they are now knownas the Barracuda Web Security Gateway. The vendor also offers a cloud-based SWG service, known as the Barracuda WebSecurity Service. The Barracuda Web Security Gateway appliances are good candidates for small or midsize businesses (SMBs)and cost-conscious enterprises.STRENGTHSBarracuda's Instant Replacement program, which provides next-business-day shipping of replacement units, includes a freeappliance replacement unit every four years.Application control is comprehensive (700 applications), and includes granular controls for social media and Google Apps.Barracuda has simplified the challenge of traffic redirection by enabling its NextGen Firewall products to redirect web traffic tothe Barracuda Web Security Gateway.Customers that purchase a Web Security Gateway appliance or the Web Security Service receive free remote filteringcapabilities on Windows/Mac clients, as well as on mobile devices running Apple iOS. Barracuda's pricing model enables it tobe the low-cost alternative in many competitive deals. It charges by appliance capacity, and it does not add a per-usersubscription charge.CAUTIONSDedicated focus on SMBs has resulted in solutions that are missing features favored by large enterprise customers. Lack ofsupport for authentication via SAML is an example of this trade-off.converted by Web2PDFConvert.com

Barracuda's SWG appliances rely heavily on signatures for malware detection. There is very little real-time analysis of webcontent, such as static code analysis.Barracuda has shown minimal commitment to its cloud delivery option. It does not support a hybrid deployment model. Oneconsole is needed to manage on-premises appliances and a separate console is needed to manage the cloud service.Unlike leading cloud-based SWG services, Barracuda does not publish the status and availability of its service on a publicfacing website.Barracuda's SWG offerings do not support advanced threat defense functionality. Neither the on-premises appliances nor thecloud service is capable of automatically depositing suspicious objects in Barracuda's network sandbox.Blue CoatBased in Sunnyvale, California, Blue Coat offers appliance-based SWGs and a cloud-based SWG service. It has the largest marketshare among SWG appliance vendors, and it has the overall largest market share among all vendors in this Magic Quadrant(based on revenue). Blue Coat publishes the availability and status of its cloud service . In addition to its SWG solutions, the vendoroffers a network sandbox, available in an appliance form factor. Blue Coat also offers the SSL Visibility Appliance and theSecurity Analytics platform (a network forensics tool that operates with full packet capture). In May 2015, private equity firm BainCapital completed its acquisition of Blue Coat from Thoma Bravo (also a private equity firm) for 2.4 billion. Bain Capital's statedintent is to prepare Blue Coat for a return to public markets. In July 2015, Blue Coat acquired Perspecsys, a cloud access securitybroker (CASB) with a focus on data security. In November 2015, Blue Coat acquired another CASB, Elastica, which provides abroader set of CASB functions. In November 2015, Blue Coat added a new product to its portfolio, Advanced Secure Gateway. Itcombines two products, ProxySG and Content Analysis System, into a single appliance. Blue Coat's appliances are goodcandidates for most large enterprise customers, particularly those requiring highly scalable SWGs. Blue Coat's cloud service is agood option for most enterprises.STRENGTHSProxySG is the strongest proxy in the market in terms of breadth of protocols and the number of advanced features. It alsosupports multiple authentication and directory integration options.Blue Coat's hybrid offering (cloud service and on-premises appliances) enables operations teams to manage most policies froma single console (although policies can be pushed only in one direction — from the cloud to on-premises appliances).Blue Coat provides strong support for SSL/TLS. All ProxySG models include SSL hardware assist, to offload processing fromthe main CPU. The stand-alone SSL Visibility Appliance can be used to decrypt SSL/TLS traffic and feed it to Blue Coat andnon-Blue Coat security solutions (for example, data loss prevention [DLP], IPS and network sandboxes).Blue Coat's partnership strategy has enabled it to fill gaps in its product line. Partnerships with six endpoint detection andresponse (EDR) vendors help ensure that its customers can complement Blue Coat's network-based advance threat detectionwith an endpoint strategy. Partnerships with FireEye and Lastline enable customers to use their own sandboxes instead of BlueCoat's sandbox. A partnership with Cylance adds signatureless file inspection to Blue Coat's Content Analysis System.Blue Coat's ownership and integration of CASB technology gives it an early mover advantage in this emerging market.CAUTIONSBecause Blue Coat's appliance-based SWG requires multiple components, it is an expensive offering. Blue Coat proxies requirethe Content Analysis System to deposit files in its Malware Analysis Appliance (a network sandbox). Customers pay extra forthe Content Analysis System functionality, whether they purchase it as a dedicated appliance or they purchase AdvancedSecure Gateway (integrated ProxySG and Content Analysis System). Blue Coat is one of the few vendors in this Magic Quadrantto charge extra for its reporting functionality and management console.Blue Coat lacks a cloud-based network sandboxing service.Blue Coat's strategy for on-premises DLP is weaker than several of its key competitors in this Magic Quadrant. Blue Coat doesnot own its DLP technology; it is licensed from Digital Guardian. Should Digital Guardian's status change, Blue Coat's DLPstrategy could be negatively impacted.CiscoCisco, based in San Jose, California, offers the Web Security Appliance (WSA; and virtual appliances) and a cloud-based service,Cloud Web Security (CWS). Cisco provides status and availability data for its cloud service . In 2016, the vendor introduced its hybridsolution by enabling its cloud service to configure and manage policies on Cisco SWG appliances. However, unified reporting isstill evolving (see the Cautions). Cisco has also integrated its Cognitive Threat Analytics (CTA) with its appliances (previously,CTA was only available as a feature of Cisco's cloud service). Cisco states that it doubled the performance of its WSA appliancesby optimizing proxy code and porting the solution to a new hardware platform. Cisco's WSA is a good solution for most midsizeand large enterprises, while CWS is a good option for most enterprises.converted by Web2PDFConvert.com